Wealth Think

Guarding ultrawealthy clients (and their networks) from identity theft

Many ultrahigh net worth clients spend a good portion of their lifetime building their wealth. Losing that wealth due to identity theft is a nightmare scenario — one that is becoming increasingly common in today's world, as AI automation and efficiencies allow bad actors to increase the scale and impact of their attacks.

Tom Suchodolski, vice president and client advisor at Whittier Trust

Although a recent study found that bad actors cast a wide net when it comes to targeting victims, tending not to discriminate based on wealth, UHNW families may be more susceptible to identity theft due to the large network of professionals and advisors required to manage their day-to-day lives.

It's a network that typically consists of retail and investment bankers, real estate and insurance brokers, attorneys, assistants, household employees and other concierge service providers — many of whom have their own teams supporting them. All of them have some degree of access to the family's personal and financial information. It takes only one slip-up by one person within this large network of people to open the floodgates to identity theft.

As part of a family office that serves wealthy individuals and their families, I often work in tandem with clients and their networks to prevent identity theft before it happens and to take swift action if it does. 

Educate clients and their networks to prevent cyberfraud

Bad actors frequently use social engineering — techniques that leverage psychology to trick individuals into divulging sensitive information — to obtain personal and financial information. Educating clients and their networks on how to identify these attacks is a great way to safeguard against data being leaked in the first place.  


For instance, wealthy families often have a diverse portfolio of business interests and investments and manage them through various legal entities to ensure privacy and mitigate risk. Maintaining separate financial and email accounts for each business and/or legal entity is a best practice for limited liability purposes, but doing so can also limit the assets and information exposed due to a compromised account.

I also recommend that clients perform background checks when introducing new persons to their network, such as executive assistants or household employees. They should also consider adopting some form of ongoing monitoring procedures.

Another simple but impactful way to protect clients' wealth is through multifactor authentication. Though not every application provides an option for MFA, applications that do will walk you through the steps to enable it via phone number, face ID, fingerprint scans or a separate application. Even if a password has been guessed or hacked, MFA means that would-be thieves can't access the account without a second or third form of authentication because it requires users to actively participate by confirming each transaction.

Mitigating damage after identity theft is detected

Sometimes, however, information is exposed due to circumstances out of the client's control, ranging from a corporate data breach to skimming devices placed on ATMs or at gas station pumps. 

If this happens, it's vital that the family office team, executive assistants and other applicable service providers immediately take steps to mitigate the damage. After a client discovers their identity has been compromised, the first step is to file a police report with the local authorities. That report will be used as a supporting document to file an identity theft report with the Federal Trade Commission. Next, report the identity theft on the FTC's IdentityTheft.gov site.

If fraudulent accounts have been opened with financial institutions, it's important to file reports with those companies' fraud departments.


Another priority step is to prevent bad actors from opening accounts in a client's name. Contact the three major credit bureaus — Experian, Equifax and TransUnion — and tell them to freeze credit.

Beyond the three major credit bureaus, it's important to place security freezes with key bureaus used for opening bank accounts. These include ChexSystems, a national specialty credit reporting agency that collects and reports data on checking account applications; the National Consumer Telecom & Utility Exchange, an organization that collects information from new telecommunications and utility connection requests; and LexisNexis, a service often used by financial institutions to verify an applicant's identity when opening new credit accounts.

Note that unlike requesting a LexisNexis security freeze, "opting out" prevents the company from sharing Non-Fair Credit Reporting Act (Non-FCRA) information with companies that may request it. Non-FCRA providers are entities that utilize public records and consumer data but are not governed by the FCRA. These providers typically operate in areas unrelated to credit, such as aggregating data from public records for investigative purposes, including financial crime investigations, legal investigations and identifying or locating people. Opting out will likely require a copy of the police report, including the complaint number.

IRS, USD — and don't forget USPS

One way bad actors try to exploit data is by filing fraudulent tax returns in an attempt to direct a tax refund elsewhere. This can be prevented by the use of an IRS IP PIN, a form of multifactor authentication that prevents someone from filing a tax return without entering this code. A new PIN is issued for each tax filing period and is only available from one's IRS account or via physical mail to the address associated with a person's tax returns.


We also recommend proactively creating an account with the state Unemployment Services Division to prevent a bad actor from fraudulently filing for unemployment benefits — even if the client would be unlikely to file for such benefits themselves. 

While a lot of fraud takes place online, never forget the importance of physical documentation. Thieves can fraudulently set up a mail forwarding order to gain access to mail. It's important to contact the USPS to ensure that a mail forwarding order, for either a home or business, has not been placed. Once that is verified, the client should sign up for USPS Informed Delivery, which notifies a homeowner or business owner of mail that is expected to be delivered. If the client does not, it's possible that a thief could sign up for the service to preview incoming mail.

A team approach in which the family office, professional advisors and other persons within the client's trusted network work together is invaluable when responding to or preventing and mitigating identity theft and other cybersecurity risks.
